metasploit | c246562d445a87510ca922f72562f5643774f534d87150b5ea419f33e152fd10

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe
Size

152KB
MD5

677db9afd4a7dab39e559cbfcb8de21d
SHA1

ddd9249eae614e40c351f953a59f73a3c9a066a9
SHA256

c246562d445a87510ca922f72562f5643774f534d87150b5ea419f33e152fd10
SHA512

2a64376f0f7dcc42620ff7a41c7000f7385c95818c0771ef056720c438ea9c318f2f572052c1d0024c4ae2d17c6169a9c94de82151513d57c92ecd8123d7f92e
SSDEEP

3072:Rsre8BcmZEUfhWlzDVQxLAaC61PG1Ff/y+l44P:JyESwlDVeN1S44P

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Deletes itself 1 IoCs

pid	Process
2620	wmpnkt32.exe

Executes dropped EXE 23 IoCs

pid	Process
2244	wmpnkt32.exe
2620	wmpnkt32.exe
2552	wmpnkt32.exe
2732	wmpnkt32.exe
1628	wmpnkt32.exe
2240	wmpnkt32.exe
1424	wmpnkt32.exe
1316	wmpnkt32.exe
2148	wmpnkt32.exe
2400	wmpnkt32.exe
1032	wmpnkt32.exe
1556	wmpnkt32.exe
2100	wmpnkt32.exe
576	wmpnkt32.exe
1568	wmpnkt32.exe
2080	wmpnkt32.exe
1076	wmpnkt32.exe
544	wmpnkt32.exe
2524	wmpnkt32.exe
2632	wmpnkt32.exe
1960	wmpnkt32.exe
1468	wmpnkt32.exe
1244	wmpnkt32.exe

Loads dropped DLL 46 IoCs

pid	Process
340	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe
340	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe
2244	wmpnkt32.exe
2244	wmpnkt32.exe
2620	wmpnkt32.exe
2620	wmpnkt32.exe
2552	wmpnkt32.exe
2552	wmpnkt32.exe
2732	wmpnkt32.exe
2732	wmpnkt32.exe
1628	wmpnkt32.exe
1628	wmpnkt32.exe
2240	wmpnkt32.exe
2240	wmpnkt32.exe
1424	wmpnkt32.exe
1424	wmpnkt32.exe
1316	wmpnkt32.exe
1316	wmpnkt32.exe
2148	wmpnkt32.exe
2148	wmpnkt32.exe
2400	wmpnkt32.exe
2400	wmpnkt32.exe
1032	wmpnkt32.exe
1032	wmpnkt32.exe
1556	wmpnkt32.exe
1556	wmpnkt32.exe
2100	wmpnkt32.exe
2100	wmpnkt32.exe
576	wmpnkt32.exe
576	wmpnkt32.exe
1568	wmpnkt32.exe
1568	wmpnkt32.exe
2080	wmpnkt32.exe
2080	wmpnkt32.exe
1076	wmpnkt32.exe
1076	wmpnkt32.exe
544	wmpnkt32.exe
544	wmpnkt32.exe
2524	wmpnkt32.exe
2524	wmpnkt32.exe
2632	wmpnkt32.exe
2632	wmpnkt32.exe
1960	wmpnkt32.exe
1960	wmpnkt32.exe
1468	wmpnkt32.exe
1468	wmpnkt32.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/340-4-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/340-5-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/340-3-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/340-8-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/340-9-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/340-10-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/340-11-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/340-26-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2620-38-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2620-39-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2620-40-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2620-41-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2620-45-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2620-51-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2732-64-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2732-65-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2732-66-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2732-74-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2240-87-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2240-97-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1316-117-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2400-131-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2400-141-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1556-153-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1556-162-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/576-175-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/576-184-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2080-205-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/544-224-0x0000000002FB0000-0x0000000002FDA000-memory.dmp	upx
behavioral1/memory/544-228-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2632-238-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2632-244-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1468-255-0x00000000032D0000-0x00000000032FA000-memory.dmp	upx
behavioral1/memory/1468-259-0x0000000000400000-0x0000000000457000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 24 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpnkt32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpnkt32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpnkt32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpnkt32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpnkt32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpnkt32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpnkt32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpnkt32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpnkt32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpnkt32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpnkt32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpnkt32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpnkt32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpnkt32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpnkt32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpnkt32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpnkt32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpnkt32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpnkt32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpnkt32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpnkt32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpnkt32.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpnkt32.exe
File created	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File created	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpnkt32.exe
File created	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File created	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File created	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File created	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File created	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File created	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\wmpnkt32.exe	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmpnkt32.exe	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpnkt32.exe
File created	C:\Windows\SysWOW64\wmpnkt32.exe	wmpnkt32.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 2200 set thread context of 340	2200	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe	30
PID 2244 set thread context of 2620	2244	wmpnkt32.exe	32
PID 2552 set thread context of 2732	2552	wmpnkt32.exe	34
PID 1628 set thread context of 2240	1628	wmpnkt32.exe	36
PID 1424 set thread context of 1316	1424	wmpnkt32.exe	38
PID 2148 set thread context of 2400	2148	wmpnkt32.exe	40
PID 1032 set thread context of 1556	1032	wmpnkt32.exe	42
PID 2100 set thread context of 576	2100	wmpnkt32.exe	44
PID 1568 set thread context of 2080	1568	wmpnkt32.exe	46
PID 1076 set thread context of 544	1076	wmpnkt32.exe	48
PID 2524 set thread context of 2632	2524	wmpnkt32.exe	50
PID 1960 set thread context of 1468	1960	wmpnkt32.exe	52

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
340	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe
340	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe
2620	wmpnkt32.exe
2620	wmpnkt32.exe
2732	wmpnkt32.exe
2732	wmpnkt32.exe
2240	wmpnkt32.exe
2240	wmpnkt32.exe
1316	wmpnkt32.exe
1316	wmpnkt32.exe
2400	wmpnkt32.exe
2400	wmpnkt32.exe
1556	wmpnkt32.exe
1556	wmpnkt32.exe
576	wmpnkt32.exe
576	wmpnkt32.exe
2080	wmpnkt32.exe
2080	wmpnkt32.exe
544	wmpnkt32.exe
544	wmpnkt32.exe
2632	wmpnkt32.exe
2632	wmpnkt32.exe
1468	wmpnkt32.exe
1468	wmpnkt32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 340	2200	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe	30
PID 2200 wrote to memory of 340	2200	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe	30
PID 2200 wrote to memory of 340	2200	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe	30
PID 2200 wrote to memory of 340	2200	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe	30
PID 2200 wrote to memory of 340	2200	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe	30
PID 2200 wrote to memory of 340	2200	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe	30
PID 2200 wrote to memory of 340	2200	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe	30
PID 340 wrote to memory of 2244	340	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe	31
PID 340 wrote to memory of 2244	340	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe	31
PID 340 wrote to memory of 2244	340	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe	31
PID 340 wrote to memory of 2244	340	677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe	31
PID 2244 wrote to memory of 2620	2244	wmpnkt32.exe	32
PID 2244 wrote to memory of 2620	2244	wmpnkt32.exe	32
PID 2244 wrote to memory of 2620	2244	wmpnkt32.exe	32
PID 2244 wrote to memory of 2620	2244	wmpnkt32.exe	32
PID 2244 wrote to memory of 2620	2244	wmpnkt32.exe	32
PID 2244 wrote to memory of 2620	2244	wmpnkt32.exe	32
PID 2244 wrote to memory of 2620	2244	wmpnkt32.exe	32
PID 2620 wrote to memory of 2552	2620	wmpnkt32.exe	33
PID 2620 wrote to memory of 2552	2620	wmpnkt32.exe	33
PID 2620 wrote to memory of 2552	2620	wmpnkt32.exe	33
PID 2620 wrote to memory of 2552	2620	wmpnkt32.exe	33
PID 2552 wrote to memory of 2732	2552	wmpnkt32.exe	34
PID 2552 wrote to memory of 2732	2552	wmpnkt32.exe	34
PID 2552 wrote to memory of 2732	2552	wmpnkt32.exe	34
PID 2552 wrote to memory of 2732	2552	wmpnkt32.exe	34
PID 2552 wrote to memory of 2732	2552	wmpnkt32.exe	34
PID 2552 wrote to memory of 2732	2552	wmpnkt32.exe	34
PID 2552 wrote to memory of 2732	2552	wmpnkt32.exe	34
PID 2732 wrote to memory of 1628	2732	wmpnkt32.exe	35
PID 2732 wrote to memory of 1628	2732	wmpnkt32.exe	35
PID 2732 wrote to memory of 1628	2732	wmpnkt32.exe	35
PID 2732 wrote to memory of 1628	2732	wmpnkt32.exe	35
PID 1628 wrote to memory of 2240	1628	wmpnkt32.exe	36
PID 1628 wrote to memory of 2240	1628	wmpnkt32.exe	36
PID 1628 wrote to memory of 2240	1628	wmpnkt32.exe	36
PID 1628 wrote to memory of 2240	1628	wmpnkt32.exe	36
PID 1628 wrote to memory of 2240	1628	wmpnkt32.exe	36
PID 1628 wrote to memory of 2240	1628	wmpnkt32.exe	36
PID 1628 wrote to memory of 2240	1628	wmpnkt32.exe	36
PID 2240 wrote to memory of 1424	2240	wmpnkt32.exe	37
PID 2240 wrote to memory of 1424	2240	wmpnkt32.exe	37
PID 2240 wrote to memory of 1424	2240	wmpnkt32.exe	37
PID 2240 wrote to memory of 1424	2240	wmpnkt32.exe	37
PID 1424 wrote to memory of 1316	1424	wmpnkt32.exe	38
PID 1424 wrote to memory of 1316	1424	wmpnkt32.exe	38
PID 1424 wrote to memory of 1316	1424	wmpnkt32.exe	38
PID 1424 wrote to memory of 1316	1424	wmpnkt32.exe	38
PID 1424 wrote to memory of 1316	1424	wmpnkt32.exe	38
PID 1424 wrote to memory of 1316	1424	wmpnkt32.exe	38
PID 1424 wrote to memory of 1316	1424	wmpnkt32.exe	38
PID 1316 wrote to memory of 2148	1316	wmpnkt32.exe	39
PID 1316 wrote to memory of 2148	1316	wmpnkt32.exe	39
PID 1316 wrote to memory of 2148	1316	wmpnkt32.exe	39
PID 1316 wrote to memory of 2148	1316	wmpnkt32.exe	39
PID 2148 wrote to memory of 2400	2148	wmpnkt32.exe	40
PID 2148 wrote to memory of 2400	2148	wmpnkt32.exe	40
PID 2148 wrote to memory of 2400	2148	wmpnkt32.exe	40
PID 2148 wrote to memory of 2400	2148	wmpnkt32.exe	40
PID 2148 wrote to memory of 2400	2148	wmpnkt32.exe	40
PID 2148 wrote to memory of 2400	2148	wmpnkt32.exe	40
PID 2148 wrote to memory of 2400	2148	wmpnkt32.exe	40
PID 2400 wrote to memory of 1032	2400	wmpnkt32.exe	41
PID 2400 wrote to memory of 1032	2400	wmpnkt32.exe	41

C:\Users\Admin\AppData\Local\Temp\677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\677db9afd4a7dab39e559cbfcb8de21d_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:340
- - C:\Windows\SysWOW64\wmpnkt32.exe
    "C:\Windows\system32\wmpnkt32.exe" C:\Users\Admin\AppData\Local\Temp\677DB9~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\SysWOW64\wmpnkt32.exe
      "C:\Windows\system32\wmpnkt32.exe" C:\Users\Admin\AppData\Local\Temp\677DB9~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1032
        
        C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1556
        
        C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2100
        
        C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:576
        
        C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1568
        
        C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2080
        
        C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1076
        
        C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:544
        
        C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2524
        
        C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2632
        
        C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1960
        
        C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1468
        
        C:\Windows\SysWOW64\wmpnkt32.exe
        
        "C:\Windows\system32\wmpnkt32.exe" C:\Windows\SysWOW64\wmpnkt32.exe
        25⤵
        Executes dropped EXE
        
        PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wmpnkt32.exe

Filesize
152KB

MD5
677db9afd4a7dab39e559cbfcb8de21d

SHA1
ddd9249eae614e40c351f953a59f73a3c9a066a9

SHA256
c246562d445a87510ca922f72562f5643774f534d87150b5ea419f33e152fd10

SHA512
2a64376f0f7dcc42620ff7a41c7000f7385c95818c0771ef056720c438ea9c318f2f572052c1d0024c4ae2d17c6169a9c94de82151513d57c92ecd8123d7f92e

Download Submit
memory/340-3-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/340-21-0x0000000003490000-0x00000000034BA000-memory.dmp

Filesize
168KB

Download
memory/340-5-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/340-1-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/340-8-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/340-9-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/340-10-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/340-11-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/340-4-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/340-26-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/340-23-0x0000000003490000-0x00000000034BA000-memory.dmp

Filesize
168KB

Download
memory/544-224-0x0000000002FB0000-0x0000000002FDA000-memory.dmp

Filesize
168KB

Download
memory/544-228-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/576-175-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/576-181-0x0000000003300000-0x000000000332A000-memory.dmp

Filesize
168KB

Download
memory/576-184-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1032-138-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1032-152-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1076-217-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1076-202-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1076-216-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1244-256-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1316-117-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1316-114-0x0000000003210000-0x000000000323A000-memory.dmp

Filesize
168KB

Download
memory/1424-107-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1424-94-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1468-259-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1468-255-0x00000000032D0000-0x00000000032FA000-memory.dmp

Filesize
168KB

Download
memory/1556-162-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1556-153-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1556-159-0x0000000003100000-0x000000000312A000-memory.dmp

Filesize
168KB

Download
memory/1568-195-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1628-85-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1628-71-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1960-252-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1960-241-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2080-201-0x0000000003310000-0x000000000333A000-memory.dmp

Filesize
168KB

Download
memory/2080-205-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2100-172-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2148-128-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2148-119-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2200-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2200-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2240-92-0x00000000031C0000-0x00000000031EA000-memory.dmp

Filesize
168KB

Download
memory/2240-97-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2240-87-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2244-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2400-141-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2400-137-0x0000000003200000-0x000000000322A000-memory.dmp

Filesize
168KB

Download
memory/2400-131-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2400-136-0x0000000003200000-0x000000000322A000-memory.dmp

Filesize
168KB

Download
memory/2524-236-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2524-225-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2552-48-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2552-63-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2552-53-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2620-41-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2620-51-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2620-47-0x0000000002EC0000-0x0000000002EEA000-memory.dmp

Filesize
168KB

Download
memory/2620-40-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2620-46-0x0000000002EC0000-0x0000000002EEA000-memory.dmp

Filesize
168KB

Download
memory/2620-39-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2620-45-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2620-38-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2632-240-0x0000000003430000-0x000000000345A000-memory.dmp

Filesize
168KB

Download
memory/2632-238-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2632-244-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2732-64-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2732-65-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2732-66-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2732-70-0x00000000031C0000-0x00000000031EA000-memory.dmp

Filesize
168KB

Download
memory/2732-74-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download